Sparcle for Financial Services

Erasure and retention. One primitive.

Regulated finance has a structural contradiction: GDPR demands erasure, SEC and FINRA demand retention. Bolt and Aeira resolve it with one cryptographic primitive — disposal of the per-tenant key destroys readability while WORM ciphertext remains on the shelf. Both auditors satisfied. The verifier binary is in your hands; Sparcle is not in the loop.

Compliance frameworks

What Sparcle ships against.

Financial services compliance is the intersection of SOX, SEC 17a-4, FINRA 4511, GLBA, NYDFS Part 500, and increasingly GDPR Art. 17 when EU customer data is present. Each frame below maps to concrete implementation.

SOX (Sarbanes-Oxley, Sections 302 / 404)

ICFR-relevant records must be retained, attestable, and tamper-evident. Bolt's Ed25519-signed Merkle audit chain is designed to satisfy the integrity requirement; the standalone verifier is the artifact your auditor runs against the chain.

SEC Rule 17a-4 + FINRA 4511

Broker-dealer record-keeping. Records must be retained in WORM or equivalent non-rewritable, non-erasable format. Aeira's WORM-eligible storage path plus the cryptographic-disposal construction is designed to support both retention AND erasure obligations via the same primitive.

GLBA + NYDFS Part 500

Customer financial information protection. Bolt's PII masking at the LLM boundary, identity-bound retrieval, and audit-trail responses are the building blocks GLBA and NYDFS require for AI-touching workflows.

GDPR Art. 17 / 28 (when EU customer data is present)

Cryptographic erasure is designed to satisfy Right-to-be-Forgotten obligations while preserving SEC and FINRA retention duties. Erasure-with-retention via the same primitive, detailed at /trust/cryptographic-erasure.

Data residency posture

WORM and key custody, owned by you.

WORM-eligible audit chain

Aeira's audit chain pairs with S3 Object Lock, Azure Immutable Blob, or any object-lock-supporting storage. The chain is byte-stable; replay produces identical bytes.

Customer-held KMS

Vault Transit, AWS KMS, Azure Key Vault, or PKCS#11 HSM. The crypto-shred construction means Sparcle cannot read tenant data without the customer-held CMK.

Erasure-with-retention via one primitive

Cryptographic disposal of the per-tenant CMK destroys readability; WORM ciphertext remains on the shelf. SOX/SEC retention auditor sees the record; GDPR auditor sees the disposal receipt. Both verifiable.

Trading-floor and ops latency

p95 retrieval target ≤ 200ms on 100M-doc tenants. The first published benchmark ships during pilot. Aeira's keyword + vector + graph fusion is sharded for desk-side response latencies.

1-page brief

Take this to your CCO and your auditor.

The finance-vertical brief covers SOX and SEC posture, WORM-eligible storage, the cryptographic-disposal construction, and the trust artifacts an auditor reviews.

Workflows the founding team has built for

Four anchor use cases.

The workflows below are scoped with regulated-finance design partners. The Authority Policy SDK and connector configuration are the per-customer tuning points.

Trade-surveillance review

Cross-source synthesis across order management, communications surveillance, and policy. Authority Policy ranks current policy above superseded; identity-bound retrieval respects desk-and-role scopes.

KYC and counterparty research

Multi-source synthesis with citation hygiene. The Authority Policy demotes outdated or rescinded source-of-record material below the cut.

Regulatory filing prep (10-K, 13-F, ADV)

Pull authoritative material from internal source-of-record systems; every cited authority resolves; audit chain captures provenance for the auditor.

Audit and IG response

Time-bounded audit-chain export with the standalone verifier binary. The auditor runs the verifier; Sparcle is not in the verification loop.

Trust dossier for finance

The four artifacts your CCO and your auditor will ask for.

  • /trust/cryptographic-erasure — The construction designed to satisfy GDPR Art. 17 erasure AND SEC 17a-4 retention obligations with one primitive. The packet your auditor receives.
  • /trust/verify — The standalone audit-chain verifier. Your auditor runs it offline. The artifact a SOX or SEC audit pack relies on.
  • /trust/incident-response — Five-phase response framework with severity SLAs. The runbook a CISO at a regulated financial institution expects.
  • /trust/where-the-model-runs — How customer financial data is masked before any outbound LLM call; how the three deployment modes compare for trading-floor latency budgets.

Want to walk this against your specific recordkeeping posture?

A 30-minute finance architecture review covers your SEC and FINRA obligations, your WORM storage choice, your KMS custody, and the workflows your desks need. Founder-led; the engineering team is on the call.